SNOW-1524258: Implement GCM encryption

lib/file_transfer_agent/encrypt_util.js

@@ -13,9 +13,8 @@
 
 const QUERY_STAGE_MASTER_KEY = 'queryStageMasterKey';
 const BASE64 = 'base64';
-const DEFAULT_DATA_AAD = Buffer.from('default data aad');
-const DEFAULT_KEY_AAD = Buffer.from('default key aad');
-const AUTH_TAG_LENGTH = 16;
+const DEFAULT_AAD = Buffer.from('');
+const AUTH_TAG_LENGTH_IN_BYTES = 16;
 
 // Material Descriptor
 function MaterialDescriptor(smkId, queryId, keySize) {
@@ -132,6 +131,12 @@
       keySize * 8
     );
 
+    if (keyIv && dataAad && keyAad) {
+      keyIv = keyIv.toString(BASE64);
+      dataAad = dataAad.toString(BASE64);
+      keyAad = keyAad.toString(BASE64);
+    }
+
     return new EncryptionMetadata(
       encryptedKey.toString(BASE64),
       dataIv.toString(BASE64),
@@ -170,24 +175,24 @@
 
   //TODO: Add proper usage when feature is ready (SNOW-940981)
   this.encryptDataGCM = function (encryptionMaterial, data) {
     const decodedKek = Buffer.from(encryptionMaterial[QUERY_STAGE_MASTER_KEY], BASE64);
     const keySize = decodedKek.length;
 
     const dataIv = getSecureRandom(AES_GCM.ivSize);
     const fileKey = getSecureRandom(keySize);
 
-    const encryptedData = this.encryptGCM(data, fileKey, dataIv, DEFAULT_DATA_AAD);
+    const encryptedData = this.encryptGCM(data, fileKey, dataIv, DEFAULT_AAD);
 
     const keyIv = getSecureRandom(AES_GCM.ivSize);
-    const encryptedKey = this.encryptGCM(fileKey, decodedKek, keyIv, DEFAULT_KEY_AAD);
+    const encryptedKey = this.encryptGCM(fileKey, decodedKek, keyIv, DEFAULT_AAD);
     return {
-      encryptionMetadata: createEncryptionMetadata(encryptionMaterial, keySize, encryptedKey, dataIv, keyIv, DEFAULT_DATA_AAD, DEFAULT_KEY_AAD),
+      encryptionMetadata: createEncryptionMetadata(encryptionMaterial, keySize, encryptedKey, dataIv, keyIv, DEFAULT_AAD, DEFAULT_AAD),
       dataStream: encryptedData
     };
   };
 
   this.encryptGCM = function (data, key, iv, aad) {
-    const cipher = crypto.createCipheriv(AES_GCM.cipherName(key.length), key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const cipher = crypto.createCipheriv(AES_GCM.cipherName(key.length), key, iv, { authTagLength: AUTH_TAG_LENGTH_IN_BYTES });
     if (aad) {
       cipher.setAAD(aad);
     }
@@ -196,13 +201,13 @@
   };
 
   this.decryptGCM = function (data, key, iv, aad) {
-    const decipher = crypto.createDecipheriv(AES_GCM.cipherName(key.length), key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const decipher = crypto.createDecipheriv(AES_GCM.cipherName(key.length), key, iv, { authTagLength: AUTH_TAG_LENGTH_IN_BYTES });
     if (aad) {
       decipher.setAAD(aad);
     }
     // last 16 bytes of data is the authentication tag
-    const authTag = data.slice(data.length - AUTH_TAG_LENGTH, data.length);
-    const cipherText = data.slice(0, data.length - AUTH_TAG_LENGTH);
+    const authTag = data.slice(data.length - AUTH_TAG_LENGTH_IN_BYTES, data.length);
+    const cipherText = data.slice(0, data.length - AUTH_TAG_LENGTH_IN_BYTES);
     decipher.setAuthTag(authTag);
     return performCrypto(decipher, cipherText);
   };
@@ -244,20 +249,20 @@
     const fileContent = await new Promise((resolve, reject) => {
       fs.readFile(inputFilePath, (err, data) => {
         if (err) {
           reject(err);
         }
         resolve(data);
       });
     });
 
-    const encryptedData = this.encryptGCM(fileContent, fileKey, dataIv, DEFAULT_DATA_AAD);
+    const encryptedData = this.encryptGCM(fileContent, fileKey, dataIv, DEFAULT_AAD);
     const encryptedFilePath = await writeContentToFile(tmpDir, path.basename(inputFilePath) + '#', encryptedData);
 
     const keyIv = getSecureRandom(AES_GCM.ivSize);
-    const encryptedKey = this.encryptGCM(fileKey, decodedKek, keyIv, DEFAULT_KEY_AAD);
+    const encryptedKey = this.encryptGCM(fileKey, decodedKek, keyIv, DEFAULT_AAD);
 
     return {
-      encryptionMetadata: createEncryptionMetadata(encryptionMaterial, fileKey.length, encryptedKey, dataIv, keyIv, DEFAULT_DATA_AAD, DEFAULT_KEY_AAD),
+      encryptionMetadata: createEncryptionMetadata(encryptionMaterial, fileKey.length, encryptedKey, dataIv, keyIv, DEFAULT_AAD, DEFAULT_AAD),
       dataFile: encryptedFilePath
     };
   };
@@ -291,13 +296,17 @@
     const keyBase64 = metadata.key;
     const keyIvBase64 = metadata.keyIv;
     const dataIvBase64 = metadata.iv;
+    const dataAadBase64 = metadata.dataAad;
+    const keyAadBase64 = metadata.keyAad;
 
     const decodedKek = Buffer.from(encryptionMaterial[QUERY_STAGE_MASTER_KEY], BASE64);
     const keyBytes = new Buffer.from(keyBase64, BASE64);
     const keyIvBytes = new Buffer.from(keyIvBase64, BASE64);
     const dataIvBytes = new Buffer.from(dataIvBase64, BASE64);
+    const dataAadBytes = new Buffer.from(dataAadBase64, BASE64);
+    const keyAadBytes = new Buffer.from(keyAadBase64, BASE64);
 
-    const fileKey = this.decryptGCM(keyBytes, decodedKek, keyIvBytes, DEFAULT_KEY_AAD);
+    const fileKey = this.decryptGCM(keyBytes, decodedKek, keyIvBytes, keyAadBytes);
 
     const fileContent = await new Promise((resolve, reject) => {
       fs.readFile(inputFilePath, (err, data) => {
@@ -308,7 +317,7 @@
       });
     });
 
-    const decryptedData = this.decryptGCM(fileContent, fileKey, dataIvBytes, DEFAULT_DATA_AAD);
+    const decryptedData = this.decryptGCM(fileContent, fileKey, dataIvBytes, dataAadBytes);
     return await writeContentToFile(tmpDir, path.basename(inputFilePath) + '#', decryptedData);
   };
 
@@ -324,7 +333,7 @@
     await new Promise((resolve, reject) => {
       tmp.file({ dir: tmpDir, prefix: path.basename(inputFilePath) + '#' }, (err, path, fd) => {
         if (err) {
           reject(err);
         }
         outputFilePath = path;
         outputFileFd = fd;
@@ -348,7 +357,7 @@
     await new Promise((resolve, reject) => {
       fs.close(outputFileFd, (err) => {
         if (err) {
           reject(err);
         }
         resolve();
       });
@@ -362,7 +371,7 @@
     await new Promise((resolve, reject) => {
       tmp.file({ dir: tmpDir, prefix: prefix }, (err, path, fd) => {
         if (err) {
           reject(err);
         }
         outputFilePath = path;
         outputFileFd = fd;
@@ -372,7 +381,7 @@
     await new Promise((resolve, reject) => {
       fs.writeFile(outputFilePath, content, err => {
         if (err) {
           reject(err);
         }
         resolve();
       });
@@ -380,7 +389,7 @@
     await new Promise((resolve, reject) => {
       fs.close(outputFileFd, (err) => {
         if (err) {
           reject(err);
         }
         resolve();
       });

test/unit/file_transfer_agent/encrypt_util_test.js

@@ -93,16 +93,13 @@ describe('Encryption util', function () {
         }
         return new createWriteStream;
       },
-      closeSync: function () {
-        return;
+      close: function (fd, callback) {
+        callback(null);
       }
     });
     mock('temp', {
-      fileSync: function () {
-        return {
-          name: mockTmpName,
-          fd: 0
-        };
+      file: function (object, callback) {
+        callback(null, mockTmpName, 0);
       },
       openSync: function () {
         return;